REVIEW OF WEB APPLICATIONS SECURITY AND INTRUSION DETECTION IN AIR TRAFFIC CONTROL SYSTEMS
Federal Aviation Administration

Report Number: FI-2009-049
Date Issued: May 4, 2009

U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject: ACTION: Report on Review of Web Applications Security and Intrusion Detection in Air Traffic Control Systems, Report Number: FI-2009-049
Date: May 4, 2009
From: Rebecca C. Leng, Assistant Inspector General for Financial and Information Technology Audits
Reply to Attn. of: JA-20
To: Acting Federal Aviation Administrator

This report presents the results of our audit of Web applications security and intrusion detection in air traffic control (ATC) systems. This audit was requested by the Ranking Minority members of the House Committee on Transportation and Infrastructure and its Aviation Subcommittee.

Homeland Security Presidential Directive (HSPD)-7 designates air traffic control systems as part of the Nation’s critical infrastructure because of the important role commercial aviation plays in fostering and sustaining the national economy and ensuring citizens’ safety and mobility. Essentially, HSPD-7 requires the Secretary of Transportation to ensure that the ATC system is protected from both physical and cyber security threats to prevent disruptions in air travel and commerce.

The need to protect ATC systems from cyber attacks requires enhanced attention because the Federal Aviation Administration (FAA) has increasingly turned toward the use of commercial software and Internet Protocol (IP)-based technologies[1] to modernize ATC systems. While use of commercial IP products, such as Web applications,[2] has enabled FAA to efficiently collect and disseminate information to facilitate ATC services, it inevitably poses a higher security risk to ATC systems than when they were developed primarily with proprietary software.

[1] Internet Protocol (IP) is a communications standard describing how data are sent from one computer to another over the Internet.
[2] A Web application is a software program running on a Web server that can be accessed by using a Web browser. A Web server may host multiple Web applications. For purposes of this report, we use “Web application” to refer to either a Web application or a Web server.

Attackers can now take advantage of software vulnerabilities in commercial IP products to exploit ATC systems, which is especially worrisome at a time when the Nation is facing increased threats from sophisticated nation-state-sponsored cyber attacks.

Accordingly, the objectives of this performance audit were to determine whether (1) Web applications used in supporting ATC operations are properly secured to prevent unauthorized access to ATC systems, and (2) FAA’s network intrusion-detection capability is effective in monitoring ATC cyber-security incidents.

KPMG, LLP, of Washington, D.C., under contract to the Office of Inspector General (OIG), completed the audit work for the first objective. This work included vulnerability assessment and penetration testing on selected Web applications used in supporting ATC operations. We performed a quality control review of the audit work carried out by KPMG to ensure that it complied with generally accepted government auditing standards. In our opinion, KPMG’s audit work complied with applicable standards. We supplemented KPMG’s work by conducting an analysis of significant cyber incidents reported by FAA in recent years. KPMG’s report detailing its findings of vulnerabilities and penetration results was provided to FAA in November 2008 for corrective action. This report summarizes both KPMG’s and our results.

We performed the audit work to address the second objective. This work included analysis of FAA’s cyber intrusion-detection capability and interviews with key personnel. We conducted our audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Details of our scope and methodology are described in Exhibit A.

RESULTS IN BRIEF

Web applications used in supporting ATC system operations are not properly secured to prevent attacks or unauthorized access. In addition, FAA has not established adequate intrusion-detection capability to monitor and detect potential cyber security incidents at ATC facilities.

Web Applications Security

We tested 70 Web applications, some of which are used to disseminate information to the public over the Internet, such as communications frequencies for pilots and controllers; others are used internally within FAA to support eight ATC systems.[3] Our tests identified a total of 763 high-risk, 504 medium-risk, and 2,590 low-risk vulnerabilities,[4] such as weak passwords and unprotected critical file folders.

[3] While Web technologies are used to support many ATC systems, this audit covered only the following eight systems: FAA’s Air Route Traffic Control Center Critical Essential Power System Power Monitoring System (APMS), TECHNET, En Route Automation Modernization/En Route Information Display System (ERAM/ERIDS), Computer-Aided Engineering Graphics (CAEG), Automated Inventory Tracking System ver. 2 (AITSv2), Airport Surveillance Radar—Local Area Network (ASRLAN), Juneau Aviation Weather System (JAWS), and Traffic Flow Management Infrastructure (TFM-I).
[4] High-risk vulnerabilities may provide an attacker with immediate access into a computer system, such as allowing execution of remote commands. Medium-risk and low-risk vulnerabilities may provide an attacker with useful information, such as error messages revealing system configuration, that they can then use to compromise a computer system.

By exploiting these vulnerabilities, the public could gain unauthorized access to information stored on Web application computers. Further, through these vulnerabilities, internal FAA users (employees, contractors, industry partners, etc.) could gain unauthorized access to ATC systems because the Web applications often act as front-end interfaces (providing front-door access) to ATC systems. In addition, these vulnerabilities could allow attackers to compromise FAA user computers by injecting malicious code onto the computers. During the audit, KPMG and OIG staff gained unauthorized access to information stored on Web application computers and an ATC system, and confirmed system vulnerability to malicious code attacks.

• Unauthorized access was gained to information stored on Web application computers associated with the Traffic Flow Management Infrastructure system, the Juneau Aviation Weather System, and the Albuquerque Air Traffic Control Tower;
• Unauthorized access was gained to an ATC system used to monitor critical power supply at six en route centers; and
• A vulnerability found on Web applications associated with the Traffic Flow Management Infrastructure system was confirmed, which could allow attackers to install malicious code on FAA users’ computers.

This occurred because (1) Web applications were not adequately configured[5] to prevent unauthorized access and (2) Web application software with known vulnerabilities was not corrected in a timely manner by installing readily available security patches released to the public by software vendors.

[5] Software configuration involves setting up a software system for one’s particular uses, such as changing a factory-set default password of “PASSWORD” to one less easily guessed.

Intrusion-detection Capabilities

To effectively monitor and detect potential cyber-security incidents on a network, intrusion-detection-system (IDS) sensors need to be installed at critical network points. There, sensors automatically generate security alerts when potential cyber attacks are detected so that incident response can follow. FAA’s intrusion-detection capability is ineffective because of inadequate deployment of IDS sensors at the facility level and a lack of timely remediation of the incidents that are detected. Specifically,

• ATC systems are located at hundreds of operational facilities such as en route centers, terminal radar approach control facilities, and airport control towers. However, IDS sensors have been deployed to only 11 of these ATC facilities. Further, none of the IDS sensors are installed to monitor ATC operational systems at these facilities, such as the IP-based network associated with the Host Computer System. Instead, these sensors provide monitoring coverage only for mission-support systems, such as e-mail systems.

• During Fiscal Year (FY) 2008, more than 800 cyber incident alerts were issued to the Air Traffic Organization (ATO), which is responsible for ATC operations. As of the end of FY 2008, over 150 incidents (17 percent) had not been remediated, including critical incidents in which hackers may have taken control of ATO computers.

Without fully deploying IDS monitoring capability at ATC facilities and remediating cyber incidents in a timely manner, FAA cannot take effective action to stop or prevent these cyber attacks, thus increasing the risk of further attacks on ATC systems.

In recent years, serious cyber attacks have occurred on FAA networks. For example, in February 2009, hackers compromised an FAA public-facing Web application computer and used it as a conduit to gain unauthorized access to personally identifiable information (PII) on 48,000 current and former FAA employees. In 2008, hackers took control of FAA’s critical network servers (domain controllers) and gained the power to shut down the servers, which could cause serious disruption to FAA’s mission-support network. In 2006, a viral attack, widely distributed on the Internet, spread to FAA’s ATC systems, forcing FAA to shut down a portion of its ATC systems in Alaska.

In our opinion, unless effective action is taken quickly, it is likely to be a matter of when, not if, ATC systems encounter attacks that do serious harm to ATC operations. As the former Director of National Intelligence stated,

    “Our information infrastructure . . . increasingly is being targeted for exploitation and potentially for disruption or destruction. . . . Terrorist groups . . . have expressed the desire to use cyber means to target the United States. . . . It is no longer sufficient for the U.S. Government to discover cyber intrusions in its networks, clean up the damage, and take legal or political steps to deter further intrusions. We must take proactive measures to detect and prevent intrusions from whatever source, as they happen, and before they can do significant damage.”[6]

[6] Annual Threat Assessment of the Director of National Intelligence for the Senate Select Committee on Intelligence (J. Michael McConnell, Director of National Intelligence, February 5, 2008).

We made a series of recommendations (see Recommendations, below) to help enhance security over Web applications used in supporting ATC operations and improve the effectiveness of FAA’s cyber-incident monitoring and response capabilities. FAA concurred with all of our recommendations, and recognized that constant vigilance and effective action are the keys to addressing cyber security in its ATC systems. The response can be found in its entirety in Appendix A.

FINDINGS

Web Applications Used in Supporting ATC System Operations Are Not Properly Secured

Web applications used in supporting ATC system operations are not properly secured to prevent attacks or unauthorized access. KPMG staff conducted two separate security tests—one originating from the Internet and the other from FAA Headquarters’ mission-support network. Due to time and resource constraints, only 70 Web applications were tested. Thirty-five of these Web applications are used by FAA to disseminate information to the public over the Internet, such as communications frequencies for pilots and controllers; the other 35 are used internally within FAA to support the eight ATC systems. The tests identified a total of 763 high-risk, 504 medium-risk, and 2,590 low-risk vulnerabilities (see Table 1).

Table 1. Internet-based and Internal Security Testing Results

                                   Number of Web      Number of Vulnerabilities by Risk Level
                              Applications Tested        High        Medium          Low
  Internet-based (Public Use)                  35         212           169        1,037
  Internal (FAA Use)                           35         551           335        1,553
  Total                                        70         763           504        2,590
  Source: KPMG

High-risk vulnerabilities may provide an attacker with immediate access into a computer system, such as allowing execution of remote commands. Medium-risk and low-risk vulnerabilities may provide an attacker with useful information, such as error messages revealing system configuration, that they can then use to compromise a computer system. The following are examples of risks to ATC systems as a result of Web application vulnerabilities:

• Vulnerabilities allowed unauthorized access to information stored on Web application computers.
Vulnerabilities found in Web application computers associated with the Traffic Flow Management Infrastructure system, the Juneau Aviation Weather System, and the Albuquerque Air Traffic Control Tower allowed KPMG and OIG staff to gain unauthorized access to data stored on these computers, including program source code and sensitive PII.

• Vulnerable Web applications were used as conduits to gain unauthorized access to, and potentially compromise, ATC system operations. Through vulnerable Web applications, KPMG staff gained unauthorized access to the Power Monitoring System at six en route centers—Anchorage, Boston, Denver, Oakland, Salt Lake City, and Seattle. While this system is not used to separate aircraft, it provides the critical mission-support function of eliminating voltage dropouts and surges caused by sources outside ATC facilities. The unauthorized access enabled KPMG staff to generate power condition reports, which attackers could use as intelligence for planning attacks. A similar incident actually occurred in February 2009: by using a vulnerable public-facing Web application computer as a conduit, hackers gained unauthorized access to 48,000 PII records stored in an FAA database.

• Vulnerable Web applications could allow attackers to execute malicious code on FAA users’ computers. This vulnerability was found on Web applications associated with the Traffic Flow Management Infrastructure system. Once infected via these applications, FAA user computers would take orders from hackers to attack other computers or send critical network information to hackers (“exfiltration”).[7] A similar incident actually occurred in August 2008: by executing malicious code, hackers took control of FAA’s critical network servers (domain controllers) and gained the power to shut down the servers, which could have caused serious disruption to FAA’s mission-support network.

[7] In recent years, huge amounts of U.S. Government (including Department of Transportation) and commercial data were “exfiltrated” to foreign domains on the Internet. This has resulted in a sweeping effort by the Office of Management and Budget to strengthen Government-wide cyber security.

So far, most attacks have primarily disrupted FAA’s ATC mission-support function. However, it is important to understand that attacks can spread from the mission-support network to the operational network—where real-time surveillance, communications, and flight information are processed to separate aircraft—because of network connections, as shown in Figure 1.

Figure 1. ATC IP-based Network Infrastructure[a]

[a] This infrastructure consists primarily of the backbone FAA Telecommunications Infrastructure (FTI) and several local area networks; FAA relies on this infrastructure to conduct ATC operations. ATC systems are hosted on local area networks at ATC facilities, which have connections to both FTI operational and mission-support networks. (Source: OIG)

Because of network connections—authorized (such as for performing system maintenance) and unauthorized (such as from inadequate network setup)—between FAA’s mission-support and ATC systems, the risk of cyber attacks is magnified. These FAA security-related events of recent years highlight the risk of cyber attacks:

• In FY 2006, we reported that FAA’s Remote Maintenance Monitoring System was connected to the less-secure mission-support network, which created security exposure to ATC operations;
• In FY 2006, a viral attack originating from the Internet spread from administrative networks to ATC systems, forcing FAA to shut down a portion of its ATC systems in Alaska;
• In FY 2008, hackers took over FAA computers in Alaska, becoming FAA “insiders.” By taking advantage of FAA’s interconnected networks, hackers later stole FAA’s enterprise administrator’s password in Oklahoma, installed malicious code with the stolen password, and compromised FAA’s domain controller in its Western Pacific Region. At that point, hackers had the ability to obtain more than 40,000 FAA user IDs, passwords, and other information used to control a portion of the FAA mission-support network.
• In FY 2009, hackers compromised an FAA public-facing Web application computer on the Internet and used it as a conduit to enter an FAA internal database server. Included in the server was PII on 48,000 current and former FAA employees, including names, dates of birth, Social Security numbers, pay grades/bands, addresses, veterans’ preferences, usernames and passwords, and education/medical/health information.

These Web vulnerabilities occurred because (1) Web applications were not adequately configured to prevent unauthorized access and (2) Web application software with known vulnerabilities was not corrected in a timely manner by installing readily available security patches released to the public by software vendors.

Intrusion-detection Capabilities Are Not Adequate to Protect ATC Systems

As previously shown in Figure 1, the ATC IP-based network infrastructure consists primarily of its backbone FTI wide-area network and numerous local area networks within ATC facilities. While the FTI wide-area network is monitored by an FAA contractor, FAA relies on DOT’s Cyber Security Management Center (CSMC) to monitor cyber incidents at the facility level. Adequate monitoring is critical for ensuring timely detection of network security incidents. However, FAA’s intrusion-detection capability is ineffective because of inadequate deployment of IDS sensors and a lack of timely remediation of the incidents that are detected. Specifically,

• Cyber incidents were not effectively monitored at ATC facilities. To identify potential cyber incidents, FAA needs IDS sensors installed at key locations to collect critical information for security analyses. ATC systems are located at hundreds of operational facilities such as en route centers, terminal radar approach control facilities, airport control towers, and flight service stations.
However, IDS sensors have been deployed to only 11 of these ATC facilities—five en route centers, four terminal radar approach control facilities or airport traffic control towers, and the Technical Center in Atlantic City and the Mike Monroney Aeronautical Center in Oklahoma City (see Table 2).

Table 2. CSMC IDS Sensor Coverage

                                                 Total Number    Number of Facilities with IDS Sensors Installed
  Major ATC Facilities                          of Facilities        ATC Network      Mission-support Network
  En route centers                                         21                  0                            5
  Terminal radar approach control facilities              166                  0                        4 (a)
  Airport traffic control towers                          512
  Flight service stations                                  33                  0                            0
  FAA Technical Center                                      1                  0                            1
  Mike Monroney Aeronautical Center                         1                  0                            1
  Remote sites                                in the thousands                 0                            0
  Total (excluding remote sites)                          734                  0                           11
  (a) Terminal radar approach control facilities and airport traffic control towers are counted together: four of these facilities in total have sensors installed.
  Source: FAA

Further, these IDS sensors provide monitoring coverage only for mission-support systems at these facilities, not for ATC operational systems. As a result, CSMC has little visibility into operations at ATC facilities and cannot identify potential cyber attacks against ATC operational systems.

According to CSMC and ATO management officials, effective IDS deployment requires close cooperation between CSMC and ATO. However, this cooperation has been lacking. Insufficient understanding of FAA network infrastructure was also a contributing factor, resulting in deployment of IDS sensors on an ad hoc basis, which made CSMC monitoring of ATC systems less effective. For example, FAA has not fully studied the connectivity of its network infrastructure (network mapping), including the locations of critical network points.

• Cyber incidents were not remediated in a timely manner. Once a cyber incident is detected, it must be examined and remediated quickly to minimize the security risk to the network. During FY 2008, ATO received 877 cyber-incident alerts from CSMC. As of the end of FY 2008, 151 incidents (17 percent) were still unresolved. Fifty of these had been open for more than 3 months, including critical incidents in which hackers may have taken control of ATO computers.

According to both CSMC and ATO officials, the lack of needed information—such as IDS sensor data, critical data collected on a network device in real time (logging), and complete IP address information—was a major factor in being unable to pinpoint the actual network location where an incident occurred or the computer affected by the incident. This lack of information has significantly impeded ATO’s ability to respond to cyber incidents. For example, in March 2008, ATO officials directed CSMC to close over 60 unresolved cyber incidents identified in FYs 2006 and 2007, stating that they were “nonactionable due to inability to perform further analysis because of time considerations.”

The Federal Information Security Management Act of 2002 requires agencies to have procedures for detecting, reporting, and responding to security incidents. Without effectively deploying IDS monitoring capability at ATC facilities, FAA cannot be fully aware of potential cyber attacks on ATC systems. More seriously, the lack of timely remediation of cyber incidents has left unsecured FAA computers on its networks. As a result, FAA cannot take effective action to stop or prevent these cyber attacks, which increases the risk of further attacks on ATC systems.

RECOMMENDATIONS

We recommend that the Acting Federal Aviation Administrator direct FAA’s Chief Information Officer and ATO’s Chief Operating Officer to:

1. Ensure that all Web applications used in ATC systems are configured in compliance with Government security standards;
2. Strengthen the patch management process by (a) identifying Web applications with known vulnerabilities, and (b) promptly installing the relevant security patches;
3. Take immediate action to correct high-risk vulnerabilities and establish a timetable for remediation of all remaining vulnerabilities identified during this audit;
4. Resolve differences with CSMC and establish a timetable for deploying IDS monitoring devices covering local area networks at all ATC facilities; and
5. In conjunction with CSMC officials, identify the information needed for remediation and establish procedures to ensure timely remediation of cyber incidents based on incident criticality as assessed by CSMC.

AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

We provided FAA with our draft report on March 3, 2009, and received its response on April 16, 2009. FAA concurred with all of our recommendations, and said that it recognized that constant vigilance and effective action are the keys to addressing cyber security in its ATC systems. FAA also pointed out that a critical element of its cyber security is the separation of the network infrastructure between the National Airspace System (NAS) for aircraft separation and FAA administrative/ATC mission-support systems. We recognize the separation of FAA’s network infrastructure. However, as stated in our report, cyber attacks can spread from the mission-support network to the NAS network because of system interconnections.

FAA further stated that it recognized the importance of dealing with all system vulnerabilities and will treat the vulnerabilities in this report with the utmost diligence.

FAA’s response can be found in its entirety in Appendix A. The responses to our recommendations are summarized as follows:

Recommendation 1: Concurred. FAA stated that it is actively analyzing the identified vulnerabilities, and will develop new Plans of Action and Milestones (POA&Ms) based on the analysis. The analysis was scheduled for completion by April 30, 2009. FAA uses the DOT Secure Web Application Standards as the basis for securely configuring Web applications, and will ensure that the Web applications identified in our report are in compliance with these standards.
New\nsystem POA&M items will be developed by July 31, 2009.\n\nRecommendation 2:            Concurred.       FAA stated that security patching\nvulnerabilities identified in our report will be addressed via the ATO Certification\nand Accreditation Remediation Management process. The ATO audit/compliance\nteam will audit the existence of appropriate security patches.                Patch\nimplementation will be performed in accordance with established FAA\nconfiguration management processes. These corrective actions will be included in\nsystem POA&Ms by July 31, 2009.\n\nRecommendation 3: Concurred. FAA will ensure that the high-rated\nvulnerabilities correlated to FAA systems are handled with high priority for\nimmediate implementation. Implementation will be tracked via the POA&M\nprocess. FAA is now reviewing detailed data from our testing to assess the\ncriticality of the vulnerabilities identified. The review was scheduled for\ncompletion by April 30, 2009. Based on the findings, FAA will develop a\ntimetable for remediation by July 31, 2009. However, FAA agreed to take\nimmediate action to fix critical vulnerabilities. In follow-up meetings, FAA\ncommitted to sharing its April evaluation results and action plan on fixing critical\nvulnerabilities with us in May 2009.\n\n\nRecommendation 4: Concurred. While FAA believes that its relationship with\nCSMC is essentially sound, within 30 days the FAA CIO\xe2\x80\x94along with the CIO for\nATO\xe2\x80\x94will meet with CSMC leadership to discuss strengths and weaknesses of\ninteractions between their organizations and identify any areas in need of\nimprovement.\n\nAs an additional level of protection, internal NAS facility IP demarcation points\nbetween NAS entities and mission-support entities have been identified by FAA as\nrequiring additional IDS sensors to be installed. 
FAA plans to implement IDS\ncapability at the facilities housing one of the NAS systems (ARTS IIIE) in\n\x0c                                                                                  13\n\n\n\nFebruary 2010. A deployment strategy for the remaining automation systems will\nbe developed in December 2009.\n\nRecommendation 5: Concurred. ATO has recently implemented two process\nimprovements: a Reconciliation of Findings process and an Open Incident\nHandling process, thereby reducing the number of open incidents. In conjunction\nwith CSMC, ATO has taken steps to improve timely response of cyber incidents.\nSpecifically, CSMC and ATO are working together through focused meetings and\ncyber security-related workshops to refine the process of identifying the criticality\nof incidents for remediation. A refined process will be developed in August 2009.\n\n\nACTIONS REQUIRED\nFAA\xe2\x80\x99s actions taken and planned are responsive to our recommendations and are\nconsidered resolved. These actions are also subject to follow-up provisions in\nDepartment of Transportation Order 8000.1C.\n\nWe appreciate the courtesies and cooperation of the FAA Office of the Chief\nInformation Officer, ATO, CSMC, OST, and KPMG representatives during this\naudit. If you have any questions concerning this report, please call me at (202)\n366-1407 or Dr. Ping Z. Sun, Program Director, at (202) 366-1478.\n\n                                         #\n\ncc:    Acting Chief Information Officer, DOT\n       Chief Information Officer, FAA\n       Chief Operating Officer, ATO\n       Martin Gertel, M-1\n       Anthony Williams, ABU-100\n\x0c                                                                                  14\n\n\n\nEXHIBIT A. SCOPE AND METHODOLOGY\nThis audit was conducted by KPMG of Washington, D.C., under contract to DOT\nOIG, and by OIG staff. 
The audit was conducted at FAA Headquarters, CSMC, selected FAA facilities, and at the FTI operational center in Melbourne, Florida.

OIG staff performed an Internet search and reviewed the ATO Risk Assessment Process Site Survey Plan. The search and review generated two lists of Web applications used to support ATC operations. The lists served as a basis for KPMG's conducting the external and internal vulnerability assessment/penetration tests. OIG staff also conducted an analysis of significant cyber incidents identified by FAA.

KPMG's detailed methodology is documented in its report. The following summarizes the contractor's scope and methodology:

• The contractor performed an external vulnerability assessment/penetration test by using open-source (freeware) and commercial scanning software. The test was done through an Internet connection at KPMG Headquarters. Based on OIG input, a total of 35 publicly accessible Web application computers were included during the test.

• The contractor performed an internal vulnerability assessment/penetration test by using open-source and commercial scanning software. The test was conducted at FAA Headquarters. Based on OIG input, a total of 35 internal Web application computers were included in the test. To reduce any potential impact on ATC operations, a portion of the test was conducted at night.

OIG staff visited the FTI Security Operations Control Center in Melbourne, Florida, and the DOT CSMC in Leesburg, Virginia. We interviewed Center officials, examined available data pertaining to identified cyber incidents, and reviewed intrusion-detection monitoring policies and procedures.

The audit work was performed between June 2008 and January 2009. We conducted our audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

EXHIBIT B. MAJOR CONTRIBUTORS TO THIS REPORT

Name                     Title

Dr. Ping Zhong Sun       Program Director for IT Audit Computer Laboratory
Mitchell Balakit         Contracting Officer's Technical Representative
Vasily Gerasimov         Computer Scientist
Michael P. Fruitman      Writer-Editor

APPENDIX A. MANAGEMENT COMMENTS

Federal Aviation Administration

Memorandum
Date:         April 16, 2009
To:           Rebecca C. Leng, Assistant Inspector General for Financial and Information Technology Audits
From:         Ramesh K. Punwani, Assistant Administrator for Financial Services/CFO
Prepared by:  Anthony Williams, x79000
Subject:      OIG Draft Report: Review of Web Applications Security and Intrusion Detection in Air Traffic Control Systems

The Federal Aviation Administration (FAA) appreciates the Department of Transportation (DOT) Office of the Inspector General (OIG) efforts in the subject draft report that will assist FAA in identifying weaknesses in the FAA web infrastructure that have not previously been detected.

FAA operates with the ongoing knowledge that Cyber security is one of the key components to the safe operation of the National Air Space System (NAS) and Cyber security is a top priority for FAA as identified in the FAA Flight Plan. The Air Traffic Organization (ATO) places the highest priority on pursuing and maintaining a safe and secure Air Traffic Control (ATC) system.

ATO recognizes that constant vigilance and effective and expeditious action are the keys to addressing Cyber security in its ATC systems. It has demonstrated its commitment to ensuring NAS safety and Cyber security through the extensive measures it has taken to reduce the risk of Cyber attack. Some of these steps include: implementing a comprehensive Information System Security (ISS) Program in support of Federal Information Security Management Act (FISMA) requirements; separating NAS operational ATC systems from Mission Support and Administrative systems; identifying and fixing Cyber security weaknesses in a prioritized process, with expedited processes in place to address critical issues identified as high priority; and modernizing ATO Cyber security through improvements in processes and technology.

One important element of NAS system Cyber security is the separation of infrastructure elements.
Specifically, the FAA networking infrastructure is comprised of two major networks that are separated physically and logically:

• The FAA Administrative/ATC Mission Support (Admin/MS) Network: Provides Wide Area Network (WAN) support to FAA services, except ATC operations.
• The National Airspace System (NAS) Network: Provides WAN services that support ATC operations. ATC systems are prohibited by FAA Order 1370.95, Wide Area Network Connectivity Security, from directly connecting to the FAA Admin/MS Network or any other non-NAS network.

The OIG report findings focus entirely on vulnerabilities associated with Admin/MS system assets. The OIG used commercially available scanning tools to assess the security of the Admin/MS elements of the ATO infrastructure and vulnerabilities were identified. FAA recognizes the importance of dealing with all identified system vulnerabilities in a logical and orderly manner, and will treat vulnerabilities identified in the OIG report with the utmost diligence and conduct mitigation to include as many families of vulnerabilities as possible in parallel. Immediate attention will be focused on mitigating high and moderate risk vulnerabilities in FAA public facing websites and FAA websites that provide Mission Support services.

OIG Recommendation 1: Ensure that all Web applications used in ATC systems are configured in compliance with Government security standards.

FAA Response: Concur. The FAA Telecommunications Infrastructure (FTI) NAS IP WAN currently has intrusion-detection-system (IDS) sensors deployed that monitor data flow into and out of 27 ATC NAS operational facilities, which provides coverage for all NAS IP connected facilities.
In addition, internal NAS facility IP demarcation points between NAS entities and Mission Support entities have been identified by the FAA as requiring additional IDS sensors to be installed. Vulnerabilities identified in the OIG report will be prioritized based on their level of risk and addressed through the ATO Certification and Accreditation (C&A) Remediation Management process. Web applications are also assessed as part of system C&A Risk Assessments conducted on a 3-year cycle, and will receive continued scrutiny and attention as risks are identified.

FAA is actively analyzing the OIG audit report raw data, which will correlate OIG report findings to FAA systems so that new Plans of Action and Milestones (POAMs) can be developed. The analysis will be complete by April 30, 2009. The FAA uses the DOT Secure Web Application Standards as the basis for securely configuring web applications and will ensure that the web applications identified in the OIG report are in compliance with these standards. New system POAM items will be developed by July 31, 2009; however, FAA will take immediate corrective action on any critical vulnerabilities.

In addition, the ATO ISS Program Compliance/Audit Plan ensures that FAA has a valid NAS ATC operational web application inventory that is configured in accordance with DOT Secure Web Application Standards.

OIG Recommendation 2: Strengthen the patch management process by (a) identifying Web applications with known vulnerabilities, and (b) promptly installing relevant security patches in a timely manner.

FAA Response: Concur. Security patching vulnerabilities identified in the OIG report will be addressed via the ATO C&A Remediation Management process.
The vulnerabilities identified by OIG are being assessed, and remediation actions will be prioritized based on the level of risk presented. As part of the ATO ISS Program Compliance/Audit Plan defined in Recommendation 1, the audit/compliance team will be auditing the existence of appropriate security patches. The FAA is analyzing the specific scanning tool report data provided by OIG and is correlating findings to FAA systems for POAM development. Patch implementation will be performed in accordance with established FAA configuration management processes. System POAM items will be developed by July 31, 2009; however, FAA will take immediate corrective action on any critical vulnerabilities.

As part of its standardized process for patch management, ATO Security Certification Teams are responsible for ensuring that patch management procedures are properly developed and implemented. The ATO has developed a Standard Operating Procedure (SOP) template and guidance document for the NIST SP 800-53 System Integrity (SI) control family that defines the patch management procedures to be implemented for each system. The ATO ISS Program conducted a workshop in December 2008 to review the security SOP guidance and ensure that Security Certification Teams and System Owners understand the procedure development requirements. FAA will continue its efforts to ensure that this process results in the timely and effective implementation of system patches.

OIG Recommendation 3: Take immediate action to correct high-risk vulnerabilities and establish a timetable for remediation of all remaining vulnerabilities identified during this audit.

FAA Response: Concur. FAA recognizes that the vulnerability scanning tools used to perform the OIG Web Audit did identify some vulnerabilities in the Admin/MS systems.
The FAA takes all security vulnerabilities very seriously and will ensure that the high rated vulnerabilities that are correlated to FAA systems as part of the actions defined in the responses to Recommendations 1 and 2 are handled as high priority configuration management changes for immediate implementation. Implementation will be tracked via the POAM process. The FAA is now reviewing the detailed data from the OIG's testing. As part of that review, it is evaluating the extent to which those vulnerabilities identified in the draft report as high risk coincide with FAA's definition of high risk and conform to NIST standards. In addition, vulnerabilities identified by FAA internal scans are also receiving priority attention and will be remediated. Lower priority issues will be addressed as appropriate. The review of vulnerabilities identified by the OIG will be completed April 30, 2009. Based on the findings, the FAA will develop a timetable for remediation by July 31, 2009; however, FAA will take immediate corrective action on any critical vulnerabilities.

OIG Recommendation 4: Resolve differences with Cyber Security Management Center (CSMC) and establish a timetable for deploying IDS monitoring devices covering local area networks at all ATC facilities.

FAA Response: Concur. FAA intends to ensure that it has a smooth and effective working relationship with the CSMC that is conducive to expeditious and effective interactions. While FAA believes that the relationship with CSMC is essentially sound, within 30 days, the FAA Chief Information Officer (CIO) along with the CIO for ATO will meet with the CSMC leadership to discuss strengths and weaknesses of interactions between their organizations and identify any areas in need of improvement.
In addition, the FAA CIO is creating service level agreements with all FAA lines of business.

In regard to IDS monitoring devices, FAA has actions underway to complete its network of IDS monitoring systems and is currently implementing and monitoring boundary and internal network protection measures.

As an added measure of NAS operations network protection, the FAA FTI NAS IP WAN currently has IDS sensors deployed that monitor data flow into and out of 27 ATC NAS operational facilities, which provides coverage for all NAS IP connected facilities. The FTI NAS IP WAN is configured to provide these IDS sensors with visibility into the data traffic traveling into and out of the NAS operational LAN infrastructures as well as all other NAS IP WAN connected facility LANs. This existing configuration allows for reviewing the majority of IP data traffic that is used for NAS ATC operational systems. Additionally, the FTI service has a Security Operations Center that monitors the IDS sensor data and works with appropriate FAA Cyber security organizations, including the CSMC, to resolve security events.

As an additional level of protection, internal NAS facility IP demarcation points between NAS entities and Mission Support entities have been identified by the FAA as requiring additional IDS sensors to be installed. While it would not be appropriate to discuss the specific demarcation points in this memo, FAA would be happy to provide details to the OIG in another forum. However, we note that some of these IDS systems will be fully operational this year, having passed key site testing on March 10, 2009. The current completion date for the implementation of all IDSs at ARTS IIIE facilities is February 2010. A deployment strategy for the remaining automation systems will be developed by December 2009.

OIG Recommendation 5:
In conjunction with CSMC officials, identify the information needed for remediation and establish procedures to ensure timely remediation of cyber incidents based on criticality as assessed by CSMC.

FAA Response: Concur. The ATO has recently implemented two process improvements: a Reconciliation of Findings process and an Open Incident Handling process, thereby reducing the number of open incidents. The improved processes have reduced the amount of time to respond to new CSMC findings, provided more efficient tracking of all open findings, and allowed for more comprehensive documentation and reporting capability.

In conjunction with CSMC, ATO has taken steps to improve timely response to cyber incidents. Specifically, the CSMC and ATO are working together through focused meetings and cyber security related workshops to refine the process of identifying the criticality of information for event remediation. A refined process will be developed by August 2009.

S:\\ABU-100\Share\OIG GAO\08-30 Web Applications Security doc:ARWilliams 4/16/09

The following pages contain textual versions of the tables and figure found in this document. These pages were not in the original document but have been added here to accommodate assistive technology.

Review of Web Applications Security and Intrusion Detection in Air Traffic Control Systems.
Section 508 Compliance Presentation.

Table 1. Internet-based and Internal Security Testing Results.

Web applications tested          Number tested   High risk   Medium risk   Low risk
Internet-based (public use)                 35         212           169      1,037
Internal (FAA use)                          35         551           335      1,553
Total                                       70         763           504      2,590

Source: KPMG.

Figure 1. Air Traffic Control Internet Protocol Based Network Infrastructure.

This infrastructure consists primarily of the backbone Federal Aviation Administration Telecommunications Infrastructure and several local area networks; the Federal Aviation Administration relies on this infrastructure to conduct Air Traffic Control operations. Air Traffic Control systems are hosted on local area networks at Air Traffic Control facilities, which have connections to both Federal Aviation Administration Telecommunications Infrastructure operational and mission-support networks.

Table 2. Cyber Security Management Center Intrusion Detection Systems Sensor Coverage.

                                                                                       Facilities with IDS sensors installed on
Facility type                                                        Total facilities   ATC network   Mission-support network
En route centers                                                                   21             0                         5
Terminal radar approach control facilities (166) and
  airport traffic control towers (512), reported combined                          678             0                         4
Flight service stations                                                            33             0                         0
Federal Aviation Administration Technical Center                                    1             0                         1
Mike Monroney Aeronautical Center                                                   1             0                         1
Remote sites                                                                thousands             0                         0
Total major Air Traffic Control facilities (excluding remote sites)               734             0                        11

Source: Federal Aviation Administration.